CVE-2022-39308 – GoCD API authentication of user access tokens subject to timing attack during comparison
https://notcve.org/view.php?id=CVE-2022-39308
GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions from 19.2.0 to 19.10.0 (inclusive) are subject to a timing attack in validation of access tokens due to use of regular string comparison for validation of the token rather than a constant time algorithm. This could allow a brute force attack on GoCD server API calls to observe timing differences in validations in order to guess an access token generated by a user for API access. This issue is fixed in GoCD version 19.11.0.
References:
https://github.com/gocd/gocd/commit/236d4baf92e6607f2841c151c855adcc477238b8
https://github.com/gocd/gocd/releases/tag/19.11.0
https://github.com/gocd/gocd/security/advisories/GHSA-999p-fp84-jcpq
https://www.gocd.org/releases/#19-11-0
Weaknesses: CWE-208: Observable Timing Discrepancy; CWE-697: Incorrect Comparison; CWE-1254: Incorrect Comparison Logic Granularity

CVE-2022-36088 – GoCD Windows installations outside default location inadequately restrict installation file permissions
https://notcve.org/view.php?id=CVE-2022-36088
GoCD is a continuous delivery server. Windows installations via either the server or agent installers for GoCD prior to 22.2.0 do not adequately restrict permissions when installing outside of the default location. This could allow a malicious user with local access to the host on which GoCD Server or Agent is installed to modify executables or components of the installation. This does not affect zip file-based installs, installations to other platforms, or installations inside `Program Files` or `Program Files (x86)`. This issue is fixed in GoCD 22.2.0 installers.
References:
https://github.com/gocd/gocd/commit/96add9605096ab50c5cd4c229be1d503aff506a6
https://github.com/gocd/gocd/releases/tag/22.2.0
https://github.com/gocd/gocd/security/advisories/GHSA-gpv4-xqhc-5vcj
https://www.gocd.org/releases/#22-2-0
Weaknesses: CWE-269: Improper Privilege Management; CWE-284: Improper Access Control

CVE-2022-29184 – Command Injection/Argument Injection in GoCD
https://notcve.org/view.php?id=CVE-2022-29184
GoCD is a continuous delivery server. In GoCD versions prior to 22.1.0, it is possible for existing authenticated users who have permissions to edit or create pipeline materials or pipeline configuration repositories to get remote code execution capability on the GoCD server via configuring a malicious branch name which abuses Mercurial hooks/aliases to exploit a command injection weakness. An attacker would require access to an account with existing GoCD administration permissions to either create/edit (`hg`-based) configuration repositories; create/edit pipelines and their (`hg`-based) materials; or, where "pipelines-as-code" configuration repositories are used, to commit malicious configuration to such an external repository which will be automatically parsed into a pipeline configuration and (`hg`) material definition by the GoCD server. This issue is fixed in GoCD 22.1.0. As a workaround, users who do not use/rely upon Mercurial materials can uninstall/remove the `hg`/Mercurial binary from the underlying GoCD Server operating system or Docker image.
References:
https://github.com/gocd/gocd/commit/37d35115db2ada2190173f9413cfe1bc6c295ecb
https://github.com/gocd/gocd/releases/tag/22.1.0
https://github.com/gocd/gocd/security/advisories/GHSA-vf5r-r7j2-cf2h
https://www.gocd.org/releases/#22-1-0
Weaknesses: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection'); CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

CVE-2022-29183 – Reflected XSS in GoCD
https://notcve.org/view.php?id=CVE-2022-29183
GoCD is a continuous delivery server. GoCD versions 20.2.0 until 21.4.0 are vulnerable to reflected cross-site scripting via abuse of the pipeline comparison function's error handling to render arbitrary HTML into the returned page. This could allow an attacker to trick a victim into executing code which would allow the attacker to operate on, or gain control over, the same resources the victim had access to. This issue is fixed in GoCD 21.4.0. As a workaround, block access to `/go/compare/.*` prior to GoCD Server via a reverse proxy, web application firewall or equivalent, which would prevent use of the pipeline comparison function.
References:
https://github.com/gocd/gocd/pull/9829/commits/bda81084c0401234b168437cf35a63390e3064d1
https://github.com/gocd/gocd/releases/tag/21.4.0
https://github.com/gocd/gocd/security/advisories/GHSA-3vvq-q4qv-x2gf
https://www.gocd.org/releases/#21-4-0
Weaknesses: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2022-29182 – DOM-based XSS in GoCD
https://notcve.org/view.php?id=CVE-2022-29182
GoCD is a continuous delivery server. GoCD versions 19.11.0 through 21.4.0 (inclusive) are vulnerable to a Document Object Model (DOM)-based cross-site scripting attack via a pipeline run's Stage Details > Graphs tab. It is possible for a malicious script on an attacker-hosted site to execute script that will run within the user's browser context and GoCD session via abuse of a messaging channel used for communication between the parent page and the stage details graph's iframe. This could allow an attacker to steal a GoCD user's session cookies and/or execute malicious code in the user's context. This issue is fixed in GoCD 22.1.0.
References:
https://github.com/gocd/gocd/pull/10190/commits/a256d05de1445e6c77843f098581fc6a66fe4477
https://github.com/gocd/gocd/releases/tag/22.1.0
https://github.com/gocd/gocd/security/advisories/GHSA-qcg6-4q44-3589
https://www.gocd.org/releases/#22-1-0
Weaknesses: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')